Closed Bug 531298 Opened 15 years ago Closed 15 years ago

TM: Crash [@ GetFinalizableArenaTraceKind] with gc

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: dvander)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:critical?] fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

(function() {
  (eval("\
    (function() {\
      let(e)((function() { ((function f(a) {\
          if (a < 1) {\
            return 1\
          }\
          x = arguments;\
          return f(a - 1) + f(a - 2)\
        })(6))\
      })())\
    })\
  "))()
})()
gc()


Crashes the js debug shell with -j on TM tip in GetFinalizableArenaTraceKind, at a seemingly scary address.

Security-sensitive also because this involves gc. Assuming [sg:critical?] till someone more knowledgeable examines this issue.

autoBisect coming up... (Rewrite to support 64-bit / 32-bit js shell compilation in progress! Also moving on to Python from Bash, 'bout time.)


=====

Starting program: /Users/skywalker/Desktop/jsfunfuzz-dbg-tm/js-dbg-tm-darwin -j ../2interesting/w29847-reduced.js
Reading symbols for shared libraries .++++..................................................................................... done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x000000010006b4a2 in GetFinalizableArenaTraceKind (a=0xdadadadadadadfd8) at ../jsgc.cpp:811
811         JS_ASSERT(a->list);
(gdb) bt
#0  0x000000010006b4a2 in GetFinalizableArenaTraceKind (a=0xdadadadadadadfd8) at ../jsgc.cpp:811
#1  0x000000010006ef86 in JS_CallTracer (trc=0x7fff5fbfe7d0, thing=0xdadadadadadadada, kind=0) at ../jsgc.cpp:2162
#2  0x0000000100063b3f in args_or_call_trace (trc=0x7fff5fbfe7d0, obj=0x1003db840) at ../jsfun.cpp:681
#3  0x00000001000b5fb9 in js_TraceObject (trc=0x7fff5fbfe7d0, obj=0x1003db840) at ../jsobj.cpp:5931
#4  0x000000010006e51e in JS_TraceChildren (trc=0x7fff5fbfe7d0, thing=0x1003db840, kind=0) at ../jsgc.cpp:1923
#5  0x000000010006f01d in JS_CallTracer (trc=0x7fff5fbfe7d0, thing=0x1003db840, kind=0) at ../jsgc.cpp:2183
#6  0x00000001000b6142 in js_TraceObject (trc=0x7fff5fbfe7d0, obj=0x1003db000) at ../jsobj.cpp:5956
#7  0x000000010006e51e in JS_TraceChildren (trc=0x7fff5fbfe7d0, thing=0x1003db000, kind=0) at ../jsgc.cpp:1923
#8  0x000000010006f01d in JS_CallTracer (trc=0x7fff5fbfe7d0, thing=0x1003db000, kind=0) at ../jsgc.cpp:2183
#9  0x000000010006f1d9 in js_TraceStackFrame (trc=0x7fff5fbfe7d0, fp=0x7fff5fbff3b0) at ../jsgc.cpp:2326
#10 0x000000010006fcee in js_TraceContext (trc=0x7fff5fbfe7d0, acx=0x1004114c0) at ../jsgc.cpp:2467
#11 0x00000001000704dd in js_TraceRuntime (trc=0x7fff5fbfe7d0, allAtoms=0) at ../jsgc.cpp:2555
#12 0x0000000100071742 in js_GC (cx=0x1004114c0, gckind=GC_NORMAL) at ../jsgc.cpp:3114
#13 0x00000001000156eb in JS_GC (cx=0x1004114c0) at ../jsapi.cpp:2450
#14 0x0000000100008117 in GC (cx=0x1004114c0, argc=0, vp=0x100875e28) at ../../shell/js.cpp:1121
#15 0x000000010008e00d in js_Interpret (cx=0x1004114c0) at jsops.cpp:2270
#16 0x00000001000a1a53 in js_Execute (cx=0x1004114c0, chain=0x1003db000, script=0x100414030, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1619
#17 0x0000000100010b61 in JS_ExecuteScript (cx=0x1004114c0, obj=0x1003db000, script=0x100414030, rval=0x0) at ../jsapi.cpp:4948
#18 0x00000001000091c6 in Process (cx=0x1004114c0, obj=0x1003db000, filename=0x7fff5fbff89e "../2interesting/w29847-reduced.js", forceTTY=0) at ../../shell/js.cpp:439
#19 0x0000000100009e0c in ProcessArgs (cx=0x1004114c0, obj=0x1003db000, argv=0x7fff5fbff738, argc=2) at ../../shell/js.cpp:848
#20 0x000000010000a123 in main (argc=2, argv=0x7fff5fbff738, envp=0x7fff5fbff750) at ../../shell/js.cpp:4860
(gdb) l
806     }
807
808     static inline size_t
809     GetFinalizableArenaTraceKind(JSGCArenaInfo *a)
810     {
811         JS_ASSERT(a->list);
812         return GetFinalizableTraceKind(a->list->thingKind);
813     }
814
815     static void
(gdb) x a
0xdadadadadadadfd8:     Cannot access memory at address 0xdadadadadadadfd8
(gdb)
If this affects 1.9.2, this is a blocker.
This occurs in both 64-bit and 32-bit js shells on 10.6.2.
autoBisect rewrite put on hold. After tweaking it to work on 10.6.2,
autoBisect shows that this is probably related to the tracerecursion bug:

http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=89e665eb9944&tochange=58c8861b79df
Attached patch: fix (Splinter Review)
js_PopInterpFrame needs to handle argsobjs.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #415212 - Flags: review?(dmandelin)
Attachment #415212 - Flags: review?(dmandelin) → review+
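The backtrace above shows why "js_PopInterpFrame needs to handle argsobjs" is the whole story: args_or_call_trace reads through the arguments object's frame pointer after the frame has been popped and its memory poisoned (0xDA is the debug shell's freed-memory fill pattern), so the GC tracer is handed 0xdadadadadadadada as a "thing". The following is an added illustration of that dangling-frame-pointer pattern and of the fix shape (detach the arguments object from the frame before the frame goes away); it is a hypothetical, simplified C model and not SpiderMonkey's own code. Every type and function name here (Frame, ArgsObj, push_frame, pop_frame_buggy, pop_frame_fixed, put_args_obj, trace_args_obj) is invented for the example, and the argument values are constructed sample data, not real GC things.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not SpiderMonkey's types): an interpreter frame
   holds the actual arguments; an arguments object created by
   `x = arguments` points back at the frame while the frame is live. */
#define FREE_PATTERN 0xDA   /* byte the debug shell fills freed memory with */
#define MAX_ARGS 4

typedef struct ArgsObj ArgsObj;

typedef struct Frame {
    int nargs;
    uintptr_t argv[MAX_ARGS];   /* "GC things" owned by the frame */
    ArgsObj *argsobj;           /* escaped arguments object, if any */
} Frame;

struct ArgsObj {
    Frame *fp;                  /* non-NULL only while the frame is on the stack */
    int nargs;
    uintptr_t argv[MAX_ARGS];   /* copied out of the frame when the object is "put" */
};

/* A tiny frame stack; popping poisons the slot the way a debug build would. */
static Frame stack[8];
static int sp = 0;

static Frame *push_frame(int nargs, const uintptr_t *argv) {
    Frame *fp = &stack[sp++];
    fp->nargs = nargs;
    memcpy(fp->argv, argv, (size_t)nargs * sizeof *argv);
    fp->argsobj = NULL;
    return fp;
}

static ArgsObj *make_args_obj(Frame *fp) {
    ArgsObj *a = calloc(1, sizeof *a);
    a->fp = fp;
    fp->argsobj = a;
    return a;
}

/* Detach the arguments object from its frame: snapshot the arguments
   and clear the back-pointer so a later trace never follows it. */
static void put_args_obj(ArgsObj *a) {
    a->nargs = a->fp->nargs;
    memcpy(a->argv, a->fp->argv, (size_t)a->nargs * sizeof(uintptr_t));
    a->fp = NULL;
}

/* Buggy pop: the frame memory is poisoned but argsobj still points at it. */
static void pop_frame_buggy(Frame *fp) {
    memset(fp, FREE_PATTERN, sizeof *fp);
    sp--;
}

/* Fixed pop: put the arguments object first, then poison the frame. */
static void pop_frame_fixed(Frame *fp) {
    if (fp->argsobj)
        put_args_obj(fp->argsobj);
    memset(fp, FREE_PATTERN, sizeof *fp);
    sp--;
}

static int is_poisoned(uintptr_t v) {
    for (size_t i = 0; i < sizeof v; i++)
        if (((v >> (8 * i)) & 0xFF) != FREE_PATTERN)
            return 0;
    return 1;
}

/* The GC tracer's view of an arguments object: returns the number of things
   traced, or -1 if it would have handed a poisoned value to the tracer. */
static int trace_args_obj(const ArgsObj *a) {
    const uintptr_t *argv = a->fp ? a->fp->argv : a->argv;  /* read through frame if still "live" */
    int nargs = a->fp ? a->fp->nargs : a->nargs;
    if (nargs < 0 || nargs > MAX_ARGS)   /* 0xDADADADA count: frame is gone */
        return -1;
    for (int i = 0; i < nargs; i++)
        if (is_poisoned(argv[i]))
            return -1;
    return nargs;
}

/* Same sequence as the testcase: call f, leak `arguments` into x, return, gc(). */
static int scenario(void (*pop)(Frame *)) {
    uintptr_t args[2] = { 0x1000, 0x2000 };   /* constructed sample "things" */
    Frame *fp = push_frame(2, args);
    ArgsObj *x = make_args_obj(fp);           /* x = arguments */
    pop(fp);                                  /* f returns */
    int traced = trace_args_obj(x);           /* gc() traces x */
    free(x);
    return traced;
}

int run_buggy(void) { return scenario(pop_frame_buggy); }   /* -1: dangling frame */
int run_fixed(void) { return scenario(pop_frame_fixed); }   /*  2: both args traced */

int main(void) {
    printf("buggy pop: %d, fixed pop: %d\n", run_buggy(), run_fixed());
    return 0;
}
```

The check a practitioner wants from this model is the one in trace_args_obj: an arguments object must never be traced through a frame pointer that can outlive the frame, which is exactly what putting the object on frame pop guarantees.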
http://hg.mozilla.org/tracemonkey/rev/09b80a7f3331
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?] fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/09b80a7f3331
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Group: core-security
Crash Signature: [@ GetFinalizableArenaTraceKind]
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
